Threat Source newsletter (Oct. 20, 2022) — Shields Up! No seriously, Shields Waaaaay Up
State-sponsored actors have been busy over the past month, including the Killnet group, which recently targeted several U.S. local elections offices and major airports.
Thursday, October 20, 2022 14:10
By Jon Munshaw.
Welcome to this week’s edition of the Threat Source newsletter.
I’m very excited about this video — it’s a project I’ve been working on with my team for a while now. Building off what I’ve written about in the past regarding fake news, this video examines what essentially equates to the propaganda being spread on social media during Russia’s invasion of Ukraine.
So far, these cyber attacks don’t seem to have had any major effects or disruptions, but I just think it’s worth noting that these groups are just as active as ever, which is what the U.S. government has been warning us about since the onset of Russia’s invasion.
While there are many Russian actors who are incredibly sophisticated and may want to carry out high-profile attacks, Killnet is a less “formal” group and more of an online angry mob looking to just wreak whatever havoc it can. This group does not have any formal goals in mind, per se, and doesn’t seem to be motivated by specific state interests or trying to generate millions of dollars of revenue. They just want to be disruptive and make life harder for their targets.
And in some ways, this is worse for defenders because it’s impossible to predict where this group is going to strike next. It’s not easy enough to say, “Well, it’s back-to-school season, so education sectors are more likely to be targeted.”
Groups like Killnet don’t seem to care about specific timing or trying to “strike while the iron’s hot.” After all, it’s not like last week was a particularly busy travel season in the U.S. so they really wanted to hit the aviation industry when it hurts the most.
It can be tiring to hear the same warnings repeatedly about how Russian state-sponsored actors are going to target Western entities. But even though they can become repetitive, these warnings are backed up with real-world examples and show that users and defenders from all industries need to be always on their toes.
The one big thing
A new attack and C2 framework called “Alchimist” is actively targeting Windows, Linux, and macOS systems in various cyber attacks. Alchimist offers a web-based interface in Simplified Chinese and is very similar to Manjusaka, another new framework that Talos recently discovered and that is becoming increasingly popular among Chinese threat actors. Both frameworks have significant similarities, but there are enough technical differences that Talos believes they were likely written by different authors.
Top security headlines from the week
The Qakbot access-as-a-service group is active again after a few months of being relatively quiet, this time using several different second-stage payloads to allow other groups to execute follow-on attacks. Qakbot-infected systems have seen the group use Brute Ratel, a simulation platform commonly used by penetration testers, the Emotet botnet and Cobalt Strike. Black Basta is one such group that’s been spotted acquiring access to targeted systems via Qakbot. In that group’s case, it uses Brute Ratel to move laterally to other systems on the network and execute various malicious payloads. (Dark Reading, Decipher)
Australia is becoming an increasingly popular target for threat actors, including several high-profile companies that were recently hit with cyber attacks. A new study found there was an 81 percent increase in cybersecurity incidents in Australia between July 2021 and June 2022, with most of that jump coming in 2022. The Australian government is already looking at new cybersecurity standards and laws, including new rules forcing cyber attack targets to notify banks faster if there is a data breach, specifically highlighting a recent breach at Optus, one of the country’s largest telecommunications companies. Medibank, a massive health insurance company, was also hit with a cyber attack this week, although it said there is currently no evidence of sensitive information or customer data being affected. (Computer Weekly, Reuters, Bloomberg)
Social media and online advertising platforms have been slow to adopt new rules and regulations around fake news and disinformation related to birth control and abortion care. Several months removed from the Supreme Court’s ruling overturning Roe v. Wade, there are still massive amounts of misleading advertising, fake news links and incorrect information floating around on online platforms without any flags. Abortion rights advocates say that this issue has only gotten worse since the ruling. A new study from the Institute for Strategic Dialogue states that sites like TikTok, YouTube and Meta have allowed disinformation and misinformation about abortion care rights and laws to be monetized and spread. (Axios, Institute for Strategic Dialogue)
Can’t get enough Talos?
- Talos Takes Ep. #117: Tips for kickstarting your cybersecurity career
- The benefits of taking an intent-based approach to detecting Business Email Compromise
- Threat Roundup for Oct. 7 - 14
- Researchers detail new C2 attack framework targeting Windows, macOS and Linux
- Talos EMEA Threat Update (Oct. 2022): An overview of the current ransomware landscape
- Intent-based approach leverages neural networks to deliver targeted classifications to BECs
Upcoming events where you can find Talos
Most prevalent malware files from Talos telemetry over the past week
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02
SHA 256: f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429
MD5: df0b88dafe7a65295f99e69a67db9e1b
Typical Filename: avi.exe
Claimed Product: N/A
Detection Name: Gen:Variant.Lazy.228707
SHA 256: 93d7749054f314b948a99012fd930ea8a0c4124a72d98746bd21fcd17eb7219c
MD5: 3d1212389bfcdc91be084e6c093a32a1
Typical Filename: sysrdsvms.exe
Claimed Product: N/A
Detection Name: Gen:Trojan.FWDisable.emW@a8FOMod
SHA 256: 36efad0617db0d45de00cc4f3cf49af7c2d6b5b15ca456d13703b5d366c58431
MD5: 147c7241371d840787f388e202f4fdc1
Typical Filename: eksplorasi.exe
Claimed Product: N/A
Detection Name: W32.Generic:Rontokbromm.21dz.1201